CVE-2020-9289 — Hard-coded Credentials in Fortinet FortiAnalyzer
Severity: 7.5 HIGH (NVD)
EPSS: 1.0% (top 22.72%)
CISA KEV: Not in KEV
Exploit: No known exploits
Affected products
Timeline
Published: Jun 16
Latest update: May 24
Description
Use of a hard-coded cryptographic key to encrypt password data in CLI configuration in FortiManager 6.2.3 and below, FortiAnalyzer 6.2.3 and below may allow an attacker with access to the CLI configuration or the CLI backup file to decrypt the sensitive data, via knowledge of the hard-coded key.
CVSS vector
CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:N/A:N
Exploitability: 3.9 | Impact: 3.6
Affected Packages: 3 packages
Vulnerability Details (2)
Vendor Advisories (1)
Fortinet: Use of a hard-coded cryptographic key to cipher sensitive data in FortiOS configuration backup file may allow an attacke... (2019-11-21)